Blog
/
Network
/
May 10, 2024

Connecting the Dots: Darktrace’s Detection of the Exploitation of the ConnectWise ScreenConnect Vulnerabilities

Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
10
May 2024
This blog focuses on the exploitation of the ConnectWise ScreenConnect vulnerabilities (CVE-2024-1708 and CVE-2024-1709) and Darktrace’s coverage of affected customer networks in early 2024.

Introduction

Across an ever changing cyber landscape, it is common place for threat actors to actively identify and exploit newly discovered vulnerabilities within commonly utilized services and applications. While attackers are likely to prioritize developing exploits for the more severe and global Common Vulnerabilities and Exposures (CVEs), they typically have the most success exploiting known vulnerabilities within the first couple years of disclosure to the public.

Addressing these vulnerabilities in a timely manner reduces the effectiveness of known vulnerabilities, decreasing the pace of malicious actor operations and forcing pursuit of more costly and time-consuming methods, such as zero-day related exploits or attacking software supply chain operations. While actors also develop tools to exploit other vulnerabilities, developing exploits for critical and publicly known vulnerabilities gives actors impactful tools at a low cost they are able to use for quite some time.

Between January and March 2024, the Darktrace Threat Research team investigated one such example that involved indicators of compromise (IoCs) suggesting the exploitation of vulnerabilities in ConnectWise’s remote monitoring and management (RMM) software ScreenConnect.

What are the ConnectWise ScreenConnect vulnerabilities?

CVE-2024-1708 is an authentication bypass vulnerability in ScreenConnect 23.9.7 (and all earlier versions) that, if exploited, would enable an attacker to execute remote code or directly impact confidential information or critical systems. This exploit would pave the way for a second ScreenConnect vulnerability, CVE-2024-1709, which allows attackers to directly access confidential information or critical systems [1].

ConnectWise released a patch and automatically updated cloud versions of ScreenConnect 23.9.9, while urging security teams to update on-premise versions immediately [3].

If exploited in conjunction, these vulnerabilities could allow a malicious actor to create new administrative accounts on publicly exposed instances by evading existing security measures. This, in turn, could enable attackers to assume an administrative role and disable security tools, create backdoors, and disrupt RMM processes. Access to an organization’s environment in this manner poses serious risk, potentially leading to significant consequences such as deploying ransomware, as seen in various incidents involving the exploitation of ScreenConnect [2]

Darktrace Coverage of ConnectWise Exploitation

Darktrace’s anomaly-based detection was able to identify evidence of exploitation related to CVE-2024-1708 and CVE-2024-1709 across two distinct timelines; these detections included connectivity with endpoints that were later confirmed to be malicious by multiple open-source intelligence (OSINT) vendors. The activity observed by Darktrace suggests that threat actors were actively exploiting these vulnerabilities across multiple customer environments.

In the cases observed across the Darktrace fleet, Darktrace DETECT™ and Darktrace RESPOND™ were able to work in tandem to pre-emptively identify and contain network compromises from the onset. While Darktrace RESPOND was enabled in most customer environments affected by the ScreenConnect vulnerabilities, in the majority of cases it was configured in Human Confirmation mode. Whilst in Human Confirmation mode, RESPOND will provide recommended actions to mitigate ongoing attacks, but these actions require manual approval from human security teams.

When enabled in autonomous response mode, Darktrace RESPOND will take action automatically, shutting down suspicious activity as soon as it is detected without the need for human intervention. This is the ideal end state for RESPOND as actions can be taken at machine speed, without any delays waiting for user approval.

Looking within the patterns of activity observed by Darktrace , the typical  attack timeline included:

Darktrace observed devices on affected customer networks performing activity indicative of ConnectWise ScreenConnect usage, for example connections over 80 and 8041, connections to screenconnect[.]com, and the use of the user agent “LabTech Agent”. OSINT research suggests that this user agent is an older name for ConnectWise Automate [5] which also includes ScreenConnect as standard [6].

Darktrace DETECT model alert highlighting the use of a remote management tool, namely “screenconnect[.]com”.
Figure 1: Darktrace DETECT model alert highlighting the use of a remote management tool, namely “screenconnect[.]com”.

This activity was typically followed by anomalous connections to the external IP address 108.61.210[.]72 using URIs of the form “/MyUserName_DEVICEHOSTNAME”, as well as additional connections to another external, IP 185.62.58[.]132. Both of these external locations have since been reported as potentially malicious [14], with 185.62.58[.]132 in particular linked to ScreenConnect post-exploitation activity [2].

Figure 2: Darktrace DETECT model alert highlighting the unusual connection to 185.62.58[.]132 via port 8041.
Figure 2: Darktrace DETECT model alert highlighting the unusual connection to 185.62.58[.]132 via port 8041.
Figure 3: Darktrace DETECT model alert highlighting connections to 108.61.210[.]72 using a new user agent and the “/MyUserName_DEVICEHOSTNAME” URI.
Figure 3: Darktrace DETECT model alert highlighting connections to 108.61.210[.]72 using a new user agent and the “/MyUserName_DEVICEHOSTNAME” URI.

Same Exploit, Different Tactics?  

While the majority of instances of ConnectWise ScreenConnect exploitation observed by Darktrace followed the above pattern of activity, Darktrace was able to identify some deviations from this.

In one customer environment, Darktrace’s detection of post-exploitation activity began with the same indicators of ScreenConnect usage, including connections to screenconnect[.]com via port 8041, followed by connections to unusual domains flagged as malicious by OSINT, in this case 116.0.56[.]101 [16] [17]. However, on this deployment Darktrace also observed threat actors downloading a suspicious AnyDesk installer from the endpoint with the URI “hxxp[:]//116.0.56[.]101[:]9191/images/Distribution.exe”.

Figure 4: Darktrace DETECT model alert highlighting the download of an unusual executable file from 116.0.56[.]101.
Figure 4: Darktrace DETECT model alert highlighting the download of an unusual executable file from 116.0.56[.]101.

Further investigation by Darktrace’s Threat Research team revealed that this endpoint was associated with threat actors exploiting CVE-2024-1708 and CVE-2024-1709 [1]. Darktrace was additionally able to identify that, despite the customer being based in the United Kingdom, the file downloaded came from Pakistan. Darktrace recognized that this represented a deviation from the device’s expected pattern of activity and promptly alerted for it, bringing it to the attention of the customer.

Figure 5: External Sites Summary within the Darktrace UI pinpointing the geographic locations of external endpoints, in this case highlighting a file download from Pakistan.
Figure 5: External Sites Summary within the Darktrace UI pinpointing the geographic locations of external endpoints, in this case highlighting a file download from Pakistan.

Darktrace’s Autonomous Response

In this instance, the customer had Darktrace enabled in autonomous response mode and the post-exploitation activity was swiftly contained, preventing the attack from escalating.

As soon as the suspicious AnyDesk download was detected, Darktrace RESPOND applied targeted measures to prevent additional malicious activity. This included blocking connections to 116.0.56[.]101 and “*.56.101”, along with blocking all outgoing traffic from the device. Furthermore, RESPOND enforced a “pattern of life” on the device, restricting its activity to its learned behavior, allowing connections that are considered normal, but blocking any unusual deviations.

Figure 6: Darktrace RESPOND enforcing a “pattern of life” on the offending device after detecting the suspicious AnyDesk download.
Figure 6: Darktrace RESPOND enforcing a “pattern of life” on the offending device after detecting the suspicious AnyDesk download.
Figure 7: Darktrace RESPOND blocking connections to the suspicious endpoint 116.0.56[.]101 and “*.56.101” following the download of the suspicious AnyDesk installer.
Figure 7: Darktrace RESPOND blocking connections to the suspicious endpoint 116.0.56[.]101 and “*.56.101” following the download of the suspicious AnyDesk installer.

The customer was later able to use RESPOND to manually quarantine the offending device, ensuring that all incoming and outgoing traffic to or from the device was prohibited, thus preventing any further malicious communication or lateral movement attempts.

Figure 8: The actions applied by Darktrace RESPOND in response to the post-exploitation activity related to the ScreenConnect vulnerabilities, including the manually applied “Quarantine device” action.

Conclusion

In the observed cases of the ConnectWise ScreenConnect vulnerabilities being exploited across the Darktrace fleet, Darktrace was able to pre-emptively identify and contain network compromises from the onset, offering vital protection against disruptive cyber-attacks.

While much of the post-exploitation activity observed by Darktrace remained the same across different customer environments, important deviations were also identified suggesting that threat actors may be adapting their tactics, techniques and procedures (TTPs) from campaign to campaign.

While new vulnerabilities will inevitably surface and threat actors will continually look for novel ways to evolve their methods, Darktrace’s Self-Learning AI and behavioral analysis offers organizations full visibility over new or unknown threats. Rather than relying on existing threat intelligence or static lists of “known bads”, Darktrace is able to detect emerging activity based on anomaly and respond to it without latency, safeguarding customer environments whilst causing minimal disruption to business operations.

Credit: Emma Foulger, Principal Cyber Analyst for their contribution to this blog.

Appendices

Darktrace Model Coverage

DETECT Models

Compromise / Agent Beacon (Medium Period)

Compromise / Agent Beacon (Long Period)

Anomalous File / EXE from Rare External Location

Device / New PowerShell User Agent

Anomalous Connection / Powershell to Rare External

Anomalous Connection / New User Agent to IP Without Hostname

User / New Admin Credentials on Client

Device / New User Agent

Anomalous Connection / Multiple HTTP POSTs to Rare Hostname

Anomalous Server Activity / Anomalous External Activity from Critical Network Device

Compromise / Suspicious Request Data

Compliance / Remote Management Tool On Server

Anomalous File / Anomalous Octet Stream (No User Agent)

RESPOND Models

Antigena / Network::External Threat::Antigena Suspicious File Block

Antigena / Network::External Threat::Antigena File then New Outbound Block

Antigena / Network::Significant Anomaly::Antigena Enhanced Monitoring from Client Block

Antigena / Network::Significant Anomaly::Antigena Significant Anomaly from Client Block

Antigena / Network::Significant Anomaly::Antigena Controlled and Model Breach

Antigena / Network::Insider Threat::Antigena Unusual Privileged User Activities Block

Antigena / Network / External Threat / Antigena Suspicious File Pattern of Life Block

Antigena / Network / Insider Threat / Antigena Unusual Privileged User Activities Pattern of Life Block

List of IoCs

IoC - Type - Description + Confidence

185.62.58[.]132 – IP- IP linked with threat actors exploiting CVE-2024-1708 and CVE-2024-17091

108.61.210[.]72- IP - IP linked with threat actors exploiting CVE-2024-1708 and CVE-2024-17091

116.0.56[.]101    - IP - IP linked with threat actors exploiting CVE-2024-1708 and CVE-2024-17091

/MyUserName_ DEVICEHOSTNAME – URI - URI linked with threat actors exploiting CVE-2024-1708 and CVE-2024-17091

/images/Distribution.exe – URI - URI linked with threat actors exploiting CVE-2024-1708 and CVE-2024-17091

24780657328783ef50ae0964b23288e68841a421 - SHA1 Filehash - Filehash linked with threat actors exploiting CVE-2024-1708 and CVE-2024-17091

a21768190f3b9feae33aaef660cb7a83 - MD5 Filehash - Filehash linked with threat actors exploiting CVE-2024-1708 and CVE-2024-17091

MITRE ATT&CK Mapping

Technique – Tactic – ID - Sub-technique of

Web Protocols - COMMAND AND CONTROL - T1071.001 - T1071

Web Services      - RESOURCE DEVELOPMENT - T1583.006 - T1583

Drive-by Compromise - INITIAL ACCESS - T1189 – NA

Ingress Tool Transfer   - COMMAND AND CONTROL - T1105 - NA

Malware - RESOURCE DEVELOPMENT - T1588.001- T1588

Exploitation of Remote Services - LATERAL MOVEMENT - T1210 – NA

PowerShell – EXECUTION - T1059.001 - T1059

Pass the Hash      - DEFENSE EVASION, LATERAL MOVEMENT     - T1550.002 - T1550

Valid Accounts - DEFENSE EVASION, PERSISTENCE, PRIVILEGE ESCALATION, INITIAL ACCESS - T1078 – NA

Man in the Browser – COLLECTION - T1185     - NA

Exploit Public-Facing Application - INITIAL ACCESS - T1190         - NA

Exfiltration Over C2 Channel – EXFILTRATION - T1041 – NA

IP Addresses – RECONNAISSANCE - T1590.005 - T1590

Remote Access Software - COMMAND AND CONTROL - T1219 – NA

Lateral Tool Transfer - LATERAL MOVEMENT - T1570 – NA

Application Layer Protocol - COMMAND AND CONTROL - T1071 – NA

References:

[1] https://unit42.paloaltonetworks.com/connectwise-threat-brief-cve-2024-1708-cve-2024-1709/  

[2] https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708    

[3] https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass

[4] https://www.speedguide.net/port.php?port=8041  

[5] https://www.connectwise.com/company/announcements/labtech-now-connectwise-automate

[6] https://www.connectwise.com/solutions/software-for-internal-it/automate

[7] https://www.securityweek.com/slashandgrab-screenconnect-vulnerability-widely-exploited-for-malware-delivery/

[8] https://arcticwolf.com/resources/blog/cve-2024-1709-cve-2024-1708-follow-up-active-exploitation-and-pocs-observed-for-critical-screenconnect-vulnerabilities/https://success.trendmicro.com/dcx/s/solution/000296805?language=en_US&sfdcIFrameOrigin=null

[9] https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8

[10] https://socradar.io/critical-vulnerabilities-in-connectwise-screenconnect-postgresql-jdbc-and-vmware-eap-cve-2024-1597-cve-2024-22245/

[11] https://www.trendmicro.com/en_us/research/24/b/threat-actor-groups-including-black-basta-are-exploiting-recent-.html

[12] https://otx.alienvault.com/indicator/ip/185.62.58.132

[13] https://www.virustotal.com/gui/ip-address/185.62.58.132/community

[14] https://www.virustotal.com/gui/ip-address/108.61.210.72/community

[15] https://otx.alienvault.com/indicator/ip/108.61.210.72

[16] https://www.virustotal.com/gui/ip-address/116.0.56[.]101/community

[17] https://otx.alienvault.com/indicator/ip/116.0.56[.]101

Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Author
Justin Torres
Cyber Analyst
Book a 1-1 meeting with one of our experts
Share this article

More in this series

No items found.

Blog

/

AI

/

March 18, 2025

Survey findings: How is AI Impacting the SOC?

Default blog imageDefault blog image

There’s no question that AI is already impacting the SOC – augmenting, assisting, and filling the gaps left by staff and skills shortages. We surveyed over 1,500 cybersecurity professionals from around the world to uncover their attitudes to AI cybersecurity in 2025. Our findings revealed striking trends in how AI is changing the way security leaders think about hiring and SOC transformation. Download the full report for the big picture, available now.

Download the full report to explore these findings in depth

The AI-human conundrum

Let’s start with some context. As the cybersecurity sector has rapidly evolved to integrate AI into all elements of cyber defense, the pace of technological advancement is outstripping the development of necessary skills. Given the ongoing challenges in security operations, such as employee burnout, high turnover rates, and talent shortages, recruiting personnel to bridge these skills gaps remains an immense challenge in today’s landscape.

But here, our main findings on this topic seem to contradict each other.

There’s no question over the impact of AI-powered threats – nearly three-quarters (74%) agree that AI-powered threats now pose a significant challenge for their organization.  

When we look at how security leaders are defending against AI-powered threats, over 3 out of 5 (62%) see insufficient personnel to manage tools and alerts as the biggest barrier.  

Yet at the same time, increasing cyber security staff is at the bottom of the priority list for survey participants, with only 11% planning to increase cybersecurity staff in 2025 – less than in 2024. What 64% of stakeholders are committed to, however, is adding new AI-powered tools onto their existing security stacks.

The conclusion? Due to pressures around hiring, defensive AI is becoming integral to the SOC as a means of augmenting understaffed teams.

How is AI plugging skills shortages in the SOC?

As explored in our recent white paper, the CISO’s Guide to Navigating the Cybersecurity Skills Shortage, 71% of organizations report unfilled cybersecurity positions, leading to the estimation that less than 10% of alerts are thoroughly vetted. In this scenario, AI has become an essential multiplier to relieve the burden on security teams.

95% of respondents agree that AI-powered solutions can significantly improve the speed and efficiency of their defenses. But how?

The area security leaders expect defensive AI to have the biggest impact is on improving threat detection, followed by autonomous response to threats and identifying exploitable vulnerabilities.

Interestingly, the areas that participants ranked less highly (reducing alert fatigue and running phishing simulation), are the tasks that AI already does well and can therefore be used already to relieve the burden of manual, repetitive work on the SOC.

Different perspectives from different sides of the SOC

CISOs and SecOps teams aren’t necessarily aligned on the AI defense question – while CISOs tend to see it as a strategic game-changer, SecOps teams on the front lines may be more sceptical, wary of its real-world reliability and integration into workflows.  

From the data, we see that while less than a quarter of execs doubt that AI-powered solutions will block and automatically respond to AI threats, about half of SecOps aren’t convinced. And only 17% of CISOs lack confidence in the ability of their teams to implement and use AI-powered solutions, whereas over 40% those in the team doubt their own ability to do so.

This gap feeds into the enthusiasm that executives share about adding AI-driven tools into the stack, while day-to-day users of the tools are more interested in improving security awareness training and improving cybersecurity tool integration.

Levels of AI understanding in the SOC

AI is only as powerful as the people who use it, and levels of AI expertise in the SOC can make or break its real-world impact. If security leaders want to unlock AI’s full potential, they must bridge the knowledge gap—ensuring teams understand not just the different types of AI, but where it can be applied for maximum value.

Only 42% of security professionals are confident that they fully understand all the types of AI in their organization’s security stack.

This data varies between job roles – executives report higher levels of understanding (60% say they know exactly which types of AI are being used) than participants in other roles. Despite having a working knowledge of using the tools day-to-day, SecOps practitioners were more likely to report having a “reasonable understanding” of the types of AI in use in their organization (42%).  

Whether this reflects a general confidence in executives rather than technical proficiency it’s hard to say, but it speaks to the importance of AI-human collaboration – introducing AI tools for cybersecurity to plug the gaps in human teams will only be effective if security professionals are supported with the correct education and training.  

Download the full report to explore these findings in depth

The full report for Darktrace’s State of AI Cybersecurity is out now. Download the paper to dig deeper into these trends, and see how results differ by industry, region, organization size, and job title.  

Continue reading
About the author
The Darktrace Community

Blog

/

Network

/

March 18, 2025

Darktrace's Detection of State-Linked ShadowPad Malware

Default blog imageDefault blog image

An integral part of cybersecurity is anomaly detection, which involves identifying unusual patterns or behaviors in network traffic that could indicate malicious activity, such as a cyber-based intrusion. However, attribution remains one of the ever present challenges in cybersecurity. Attribution involves the process of accurately identifying and tracing the source to a specific threat actor(s).

Given the complexity of digital networks and the sophistication of attackers who often use proxies or other methods to disguise their origin, pinpointing the exact source of a cyberattack is an arduous task. Threat actors can use proxy servers, botnets, sophisticated techniques, false flags, etc. Darktrace’s strategy is rooted in the belief that identifying behavioral anomalies is crucial for identifying both known and novel threat actor campaigns.

The ShadowPad cluster

Between July 2024 and November 2024, Darktrace observed a cluster of activity threads sharing notable similarities. The threads began with a malicious actor using compromised user credentials to log in to the target organization's Check Point Remote Access virtual private network (VPN) from an attacker-controlled, remote device named 'DESKTOP-O82ILGG'.  In one case, the IP from which the initial login was carried out was observed to be the ExpressVPN IP address, 194.5.83[.]25. After logging in, the actor gained access to service account credentials, likely via exploitation of an information disclosure vulnerability affecting Check Point Security Gateway devices. Recent reporting suggests this could represent exploitation of CVE-2024-24919 [27,28]. The actor then used these compromised service account credentials to move laterally over RDP and SMB, with files related to the modular backdoor, ShadowPad, being delivered to the  ‘C:\PerfLogs\’ directory of targeted internal systems. ShadowPad was seen communicating with its command-and-control (C2) infrastructure, 158.247.199[.]185 (dscriy.chtq[.]net), via both HTTPS traffic and DNS tunneling, with subdomains of the domain ‘cybaq.chtq[.]net’ being used in the compromised devices’ TXT DNS queries.

Darktrace’s Advanced Search data showing the VPN-connected device initiating RDP connections to a domain controller (DC). The device subsequently distributes likely ShadowPad-related payloads and makes DRSGetNCChanges requests to a second DC.
Figure 1: Darktrace’s Advanced Search data showing the VPN-connected device initiating RDP connections to a domain controller (DC). The device subsequently distributes likely ShadowPad-related payloads and makes DRSGetNCChanges requests to a second DC.
Event Log data showing a DC making DNS queries for subdomains of ‘cbaq.chtq[.]net’ to 158.247.199[.]185 after receiving SMB and RDP connections from the VPN-connected device, DESKTOP-O82ILGG.
Figure 2: Event Log data showing a DC making DNS queries for subdomains of ‘cbaq.chtq[.]net’ to 158.247.199[.]185 after receiving SMB and RDP connections from the VPN-connected device, DESKTOP-O82ILGG.

Darktrace observed these ShadowPad activity threads within the networks of European-based customers in the manufacturing and financial sectors.  One of these intrusions was followed a few months later by likely state-sponsored espionage activity, as detailed in the investigation of the year in Darktrace’s Annual Threat Report 2024.

Related ShadowPad activity

Additional cases of ShadowPad were observed across Darktrace’s customer base in 2024. In some cases, common C2 infrastructure with the cluster discussed above was observed, with dscriy.chtq[.]net and cybaq.chtq[.]net both involved; however, no other common features were identified. These ShadowPad infections were observed between April and November 2024, with customers across multiple regions and sectors affected.  Darktrace’s observations align with multiple other public reports that fit the timeframe of this campaign.

Darktrace has also observed other cases of ShadowPad without common infrastructure since September 2024, suggesting the use of this tool by additional threat actors.

The data theft thread

One of the Darktrace customers impacted by the ShadowPad cluster highlighted above was a European manufacturer. A distinct thread of activity occurred within this organization’s network several months after the ShadowPad intrusion, in October 2024.

The thread involved the internal distribution of highly masqueraded executable files via Sever Message Block (SMB) and WMI (Windows Management Instrumentation), the targeted collection of sensitive information from an internal server, and the exfiltration of collected information to a web of likely compromised sites. This observed thread of activity, therefore, consisted of three phrases: lateral movement, collection, and exfiltration.

The lateral movement phase began when an internal user device used an administrative credential to distribute files named ‘ProgramData\Oracle\java.log’ and 'ProgramData\Oracle\duxwfnfo' to the c$ share on another internal system.  

Darktrace model alert highlighting an SMB write of a file named ‘ProgramData\Oracle\java.log’ to the c$ share on another device.
Figure 3: Darktrace model alert highlighting an SMB write of a file named ‘ProgramData\Oracle\java.log’ to the c$ share on another device.

Over the next few days, Darktrace detected several other internal systems using administrative credentials to upload files with the following names to the c$ share on internal systems:

ProgramData\Adobe\ARM\webservices.dll

ProgramData\Adobe\ARM\wksprt.exe

ProgramData\Oracle\Java\wksprt.exe

ProgramData\Oracle\Java\webservices.dll

ProgramData\Microsoft\DRM\wksprt.exe

ProgramData\Microsoft\DRM\webservices.dll

ProgramData\Abletech\Client\webservices.dll

ProgramData\Abletech\Client\client.exe

ProgramData\Adobe\ARM\rzrmxrwfvp

ProgramData\3Dconnexion\3DxWare\3DxWare.exe

ProgramData\3Dconnexion\3DxWare\webservices.dll

ProgramData\IDMComp\UltraCompare\updater.exe

ProgramData\IDMComp\UltraCompare\webservices.dll

ProgramData\IDMComp\UltraCompare\imtrqjsaqmm

Cyber AI Analyst highlighting an SMB write of a file named ‘ProgramData\Adobe\ARM\webservices.dll’ to the c$ share on an internal system.
Figure 4: Cyber AI Analyst highlighting an SMB write of a file named ‘ProgramData\Adobe\ARM\webservices.dll’ to the c$ share on an internal system.

The threat actor appears to have abused the Microsoft RPC (MS-RPC) service, WMI, to execute distributed payloads, as evidenced by the ExecMethod requests to the IWbemServices RPC interface which immediately followed devices’ SMB uploads.  

Cyber AI Analyst data highlighting a thread of activity starting with an SMB data upload followed by ExecMethod requests.
Figure 5: Cyber AI Analyst data highlighting a thread of activity starting with an SMB data upload followed by ExecMethod requests.

Several of the devices involved in these lateral movement activities, both on the source and destination side, were subsequently seen using administrative credentials to download tens of GBs of sensitive data over SMB from a specially selected server.  The data gathering stage of the threat sequence indicates that the threat actor had a comprehensive understanding of the organization’s system architecture and had precise objectives for the information they sought to extract.

Immediately after collecting data from the targeted server, devices went on to exfiltrate stolen data to multiple sites. Several other likely compromised sites appear to have been used as general C2 infrastructure for this intrusion activity. The sites used by the threat actor for C2 and data exfiltration purport to be sites for companies offering a variety of service, ranging from consultancy to web design.

Screenshot of one of the likely compromised sites used in the intrusion. 
Figure 6: Screenshot of one of the likely compromised sites used in the intrusion.

At least 16 sites were identified as being likely data exfiltration or C2 sites used by this threat actor in their operation against this organization. The fact that the actor had such a wide web of compromised sites at their disposal suggests that they were well-resourced and highly prepared.  

Darktrace model alert highlighting an internal device slowly exfiltrating data to the external endpoint, yasuconsulting[.]com.
Figure 7: Darktrace model alert highlighting an internal device slowly exfiltrating data to the external endpoint, yasuconsulting[.]com.
Darktrace model alert highlighting an internal device downloading nearly 1 GB of data from an internal system just before uploading a similar volume of data to another suspicious endpoint, www.tunemmuhendislik[.]com    
Figure 8: Darktrace model alert highlighting an internal device downloading nearly 1 GB of data from an internal system just before uploading a similar volume of data to another suspicious endpoint, www.tunemmuhendislik[.]com  

Cyber AI Analyst spotlight

Cyber AI Analyst identifying and piecing together the various steps of a ShadowPad intrusion.
Figure 9: Cyber AI Analyst identifying and piecing together the various steps of a ShadowPad intrusion.  
Cyber AI Analyst Incident identifying and piecing together the various steps of the data theft activity.
Figure 10: Cyber AI Analyst Incident identifying and piecing together the various steps of the data theft activity.

As shown in the above figures, Cyber AI Analyst’s ability to thread together the different steps of these attack chains are worth highlighting.

In the ShadowPad attack chains, Cyber AI Analyst was able to identify SMB writes from the VPN subnet to the DC, and the C2 connections from the DC. It was also able to weave together this activity into a single thread representing the attacker’s progression.

Similarly, in the data exfiltration attack chain, Cyber AI Analyst identified and connected multiple types of lateral movement over SMB and WMI and external C2 communication to various external endpoints, linking them in a single, connected incident.

These Cyber AI Analyst actions enabled a quicker understanding of the threat actor sequence of events and, in some cases, faster containment.

Attribution puzzle

Publicly shared research into ShadowPad indicates that it is predominantly used as a backdoor in People’s Republic of China (PRC)-sponsored espionage operations [5][6][7][8][9][10]. Most publicly reported intrusions involving ShadowPad  are attributed to the China-based threat actor, APT41 [11][12]. Furthermore, Google Threat Intelligence Group (GTIG) recently shared their assessment that ShadowPad usage is restricted to clusters associated with APT41 [13]. Interestingly, however, there have also been public reports of ShadowPad usage in unattributed intrusions [5].

The data theft activity that later occurred in the same Darktrace customer network as one of these ShadowPad compromises appeared to be the targeted collection and exfiltration of sensitive data. Such an objective indicates the activity may have been part of a state-sponsored operation. The tactics, techniques, and procedures (TTPs), artifacts, and C2 infrastructure observed in the data theft thread appear to resemble activity seen in previous Democratic People’s Republic of Korea (DPRK)-linked intrusion activities [15] [16] [17] [18] [19].

The distribution of payloads to the following directory locations appears to be a relatively common behavior in DPRK-sponsored intrusions.

Observed examples:

C:\ProgramData\Oracle\Java\  

C:\ProgramData\Adobe\ARM\  

C:\ProgramData\Microsoft\DRM\  

C:\ProgramData\Abletech\Client\  

C:\ProgramData\IDMComp\UltraCompare\  

C:\ProgramData\3Dconnexion\3DxWare\

Additionally, the likely compromised websites observed in the data theft thread, along with some of the target URI patterns seen in the C2 communications to these sites, resemble those seen in previously reported DPRK-linked intrusion activities.

No clear evidence was found to link the ShadowPad compromise to the subsequent data theft activity that was observed on the network of the manufacturing customer. It should be noted, however, that no clear signs of initial access were found for the data theft thread – this could suggest the ShadowPad intrusion itself represents the initial point of entry that ultimately led to data exfiltration.

Motivation-wise, it seems plausible for the data theft thread to have been part of a DPRK-sponsored operation. DPRK is known to pursue targets that could potentially fulfil its national security goals and had been publicly reported as being active in months prior to this intrusion [21]. Furthermore, the timing of the data theft aligns with the ratification of the mutual defense treaty between DPRK and Russia and the subsequent accused activities [20].

Darktrace assesses with medium confidence that a nation-state, likely DPRK, was responsible, based on our investigation, the threat actor applied resources, patience, obfuscation, and evasiveness combined with external reporting, collaboration with the cyber community, assessing the attacker’s motivation and world geopolitical timeline, and undisclosed intelligence.

Conclusion

When state-linked cyber activity occurs within an organization’s environment, previously unseen C2 infrastructure and advanced evasion techniques will likely be used. State-linked cyber actors, through their resources and patience, are able to bypass most detection methods, leaving anomaly-based methods as a last line of defense.

Two threads of activity were observed within Darktrace’s customer base over the last year: The first operation involved the abuse of Check Point VPN credentials to log in remotely to organizations’ networks, followed by the distribution of ShadowPad to an internal domain controller. The second operation involved highly targeted data exfiltration from the network of one of the customers impacted by the previously mentioned ShadowPad activity.

Despite definitive attribution remaining unresolved, both the ShadowPad and data exfiltration activities were detected by Darktrace’s Self-Learning AI, with Cyber AI Analyst playing a significant role in identifying and piecing together the various steps of the intrusion activities.  

Credit to Sam Lister (R&D Detection Analyst), Emma Foulger (Principal Cyber Analyst), Nathaniel Jones (VP), and the Darktrace Threat Research team.

Appendices

Darktrace / NETWORK model alerts

User / New Admin Credentials on Client

Anomalous Connection / Unusual Admin SMB Session

Compliance / SMB Drive Write  

Device / Anomalous SMB Followed By Multiple Model Breaches

Anomalous File / Internal / Unusual SMB Script Write

User / New Admin Credentials on Client  

Anomalous Connection / Unusual Admin SMB Session

Compliance / SMB Drive Write

Device / Anomalous SMB Followed By Multiple Model Breaches

Anomalous File / Internal / Unusual SMB Script Write

Device / New or Uncommon WMI Activity

Unusual Activity / Internal Data Transfer

Anomalous Connection / Download and Upload

Anomalous Server Activity / Rare External from Server

Compromise / Beacon to Young Endpoint

Compromise / Agent Beacon (Short Period)

Anomalous Server Activity / Anomalous External Activity from Critical Network Device

Anomalous Connection / POST to PHP on New External Host

Compromise / Sustained SSL or HTTP Increase

Compromise / Sustained TCP Beaconing Activity To Rare Endpoint

Anomalous Connection / Multiple Failed Connections to Rare Endpoint

Device / Multiple C2 Model Alerts

Anomalous Connection / Data Sent to Rare Domain

Anomalous Connection / Download and Upload

Unusual Activity / Unusual External Data Transfer

Anomalous Connection / Low and Slow Exfiltration

Anomalous Connection / Uncommon 1 GiB Outbound  

MITRE ATT&CK mapping

(Technique name – Tactic ID)

ShadowPad malware threads

Initial Access - Valid Accounts: Domain Accounts (T1078.002)

Initial Access - External Remote Services (T1133)

Privilege Escalation - Exploitation for Privilege Escalation (T1068)

Privilege Escalation - Valid Accounts: Default Accounts (T1078.001)

Defense Evasion - Masquerading: Match Legitimate Name or Location (T1036.005)

Lateral Movement - Remote Services: Remote Desktop Protocol (T1021.001)

Lateral Movement - Remote Services: SMB/Windows Admin Shares (T1021.002)

Command and Control - Proxy: Internal Proxy (T1090.001)

Command and Control - Application Layer Protocol: Web Protocols (T1071.001)

Command and Control - Encrypted Channel: Asymmetric Cryptography (T1573.002)

Command and Control - Application Layer Protocol: DNS (T1071.004)

Data theft thread

Resource Development - Compromise Infrastructure: Domains (T1584.001)

Privilege Escalation - Valid Accounts: Default Accounts (T1078.001)

Privilege Escalation - Valid Accounts: Domain Accounts (T1078.002)

Execution - Windows Management Instrumentation (T1047)

Defense Evasion - Masquerading: Match Legitimate Name or Location (T1036.005)

Defense Evasion - Obfuscated Files or Information (T1027)

Lateral Movement - Remote Services: SMB/Windows Admin Shares (T1021.002)

Collection - Data from Network Shared Drive (T1039)

Command and Control - Application Layer Protocol: Web Protocols (T1071.001)

Command and Control - Encrypted Channel: Asymmetric Cryptography (T1573.002)

Command and Control - Proxy: External Proxy (T1090.002)

Exfiltration - Exfiltration Over C2 Channel (T1041)

Exfiltration - Data Transfer Size Limits (T1030)

List of indicators of compromise (IoCs)

IP addresses and/or domain names (Mid-high confidence):

ShadowPad thread

- dscriy.chtq[.]net • 158.247.199[.]185 (endpoint of C2 comms)

- cybaq.chtq[.]net (domain name used for DNS tunneling)  

Data theft thread

- yasuconsulting[.]com (45.158.12[.]7)

- hobivan[.]net (94.73.151[.]72)

- mediostresbarbas.com[.]ar (75.102.23[.]3)

- mnmathleague[.]org (185.148.129[.]24)

- goldenborek[.]com (94.138.200[.]40)

- tunemmuhendislik[.]com (94.199.206[.]45)

- anvil.org[.]ph (67.209.121[.]137)

- partnerls[.]pl (5.187.53[.]50)

- angoramedikal[.]com (89.19.29[.]128)

- awork-designs[.]dk (78.46.20[.]225)

- digitweco[.]com (38.54.95[.]190)

- duepunti-studio[.]it (89.46.106[.]61)

- scgestor.com[.]br (108.181.92[.]71)

- lacapannadelsilenzio[.]it (86.107.36[.]15)

- lovetamagotchith[.]com (203.170.190[.]137)

- lieta[.]it (78.46.146[.]147)

File names (Mid-high confidence):

ShadowPad thread:

- perflogs\1.txt

- perflogs\AppLaunch.exe

- perflogs\F4A3E8BE.tmp

- perflogs\mscoree.dll

Data theft thread

- ProgramData\Oracle\java.log

- ProgramData\Oracle\duxwfnfo

- ProgramData\Adobe\ARM\webservices.dll

- ProgramData\Adobe\ARM\wksprt.exe

- ProgramData\Oracle\Java\wksprt.exe

- ProgramData\Oracle\Java\webservices.dll

- ProgramData\Microsoft\DRM\wksprt.exe

- ProgramData\Microsoft\DRM\webservices.dll

- ProgramData\Abletech\Client\webservices.dll

- ProgramData\Abletech\Client\client.exe

- ProgramData\Adobe\ARM\rzrmxrwfvp

- ProgramData\3Dconnexion\3DxWare\3DxWare.exe

- ProgramData\3Dconnexion\3DxWare\webservices.dll

- ProgramData\IDMComp\UltraCompare\updater.exe

- ProgramData\IDMComp\UltraCompare\webservices.dll

- ProgramData\IDMComp\UltraCompare\imtrqjsaqmm

- temp\HousecallLauncher64.exe

Attacker-controlled device hostname (Mid-high confidence)

- DESKTOP-O82ILGG

References  

[1] https://www.kaspersky.com/about/press-releases/shadowpad-how-attackers-hide-backdoor-in-software-used-by-hundreds-of-large-companies-around-the-world  

[2] https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/08/07172148/ShadowPad_technical_description_PDF.pdf

[3] https://blog.avast.com/new-investigations-in-ccleaner-incident-point-to-a-possible-third-stage-that-had-keylogger-capacities

[4] https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/

[5] https://assets.sentinelone.com/c/Shadowpad?x=P42eqA

[6] https://www.cyfirma.com/research/the-origins-of-apt-41-and-shadowpad-lineage/

[7] https://www.csoonline.com/article/572061/shadowpad-has-become-the-rat-of-choice-for-several-state-sponsored-chinese-apts.html

[8] https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/shadowpad-new-activity-from-the-winnti-group

[9] https://cymulate.com/threats/shadowpad-privately-sold-malware-espionage-tool/

[10] https://www.secureworks.com/research/shadowpad-malware-analysis

[11] https://blog.talosintelligence.com/chinese-hacking-group-apt41-compromised-taiwanese-government-affiliated-research-institute-with-shadowpad-and-cobaltstrike-2/

[12] https://hackerseye.net/all-blog-items/tails-from-the-shadow-apt-41-injecting-shadowpad-with-sideloading/

[13] https://cloud.google.com/blog/topics/threat-intelligence/scatterbrain-unmasking-poisonplug-obfuscator

[14] https://www.domaintools.com/wp-content/uploads/conceptualizing-a-continuum-of-cyber-threat-attribution.pdf

[15] https://www.nccgroup.com/es/research-blog/north-korea-s-lazarus-their-initial-access-trade-craft-using-social-media-and-social-engineering/  

[16] https://www.microsoft.com/en-us/security/blog/2021/01/28/zinc-attacks-against-security-researchers/

[17] https://www.microsoft.com/en-us/security/blog/2022/09/29/zinc-weaponizing-open-source-software/  

[18] https://www.welivesecurity.com/en/eset-research/lazarus-luring-employees-trojanized-coding-challenges-case-spanish-aerospace-company/  

[19] https://blogs.jpcert.or.jp/en/2021/01/Lazarus_malware2.html  

[20] https://usun.usmission.gov/joint-statement-on-the-unlawful-arms-transfer-by-the-democratic-peoples-republic-of-korea-to-russia/

[21] https://media.defense.gov/2024/Jul/25/2003510137/-1/-1/1/Joint-CSA-North-Korea-Cyber-Espionage-Advance-Military-Nuclear-Programs.PDF  

[22] https://kyivindependent.com/first-north-korean-troops-deployed-to-front-line-in-kursk-oblast-ukraines-military-intelligence-says/

[23] https://www.microsoft.com/en-us/security/blog/2024/12/04/frequent-freeloader-part-i-secret-blizzard-compromising-storm-0156-infrastructure-for-espionage/  

[24] https://www.microsoft.com/en-us/security/blog/2024/12/11/frequent-freeloader-part-ii-russian-actor-secret-blizzard-using-tools-of-other-groups-to-attack-ukraine/  

[25] https://www.sentinelone.com/labs/chamelgang-attacking-critical-infrastructure-with-ransomware/    

[26] https://thehackernews.com/2022/06/state-backed-hackers-using-ransomware.html/  

[27] https://blog.checkpoint.com/security/check-point-research-explains-shadow-pad-nailaolocker-and-its-protection/

[28] https://www.orangecyberdefense.com/global/blog/cert-news/meet-nailaolocker-a-ransomware-distributed-in-europe-by-shadowpad-and-plugx-backdoors

Continue reading
About the author
Sam Lister
SOC Analyst
Your data. Our AI.
Elevate your network security with Darktrace AI